GCKSign: Simple and efficient signatures from generalized compact knapsack problems

In 2009, Lyubashevsky proposed a lattice-based signature scheme using a Schnorr-like identification protocol and the Fiat-Shamir heuristic, and proved its security under the collision resistance of a generalized compact knapsack (GCK) function. However, that security analysis requires the witness indistinguishability (WI) property, which leads to significant inefficiency and larger public keys and signatures. To overcome the efficiency issue associated with the WI property, we introduce a new lattice-based assumption, called the target-modified one-wayness (TMO) problem of the GCK function, and show its reduction to well-known lattice-based problems. Additionally, we present a simple and efficient GCK-based signature scheme, GCKSign, whose security is based on the Module GCK-TMO problem in the random oracle model. GCKSign is a natural extension of Lyubashevsky's scheme to the module setting, but achieves considerable efficiency gains by eliminating the witness indistinguishability property. As a result, GCKSign achieves approximately 3.4 times shorter signatures and 2.4 times shorter public keys at the same security level.


Introduction
The generalized compact knapsack (GCK) function [1] is defined by a ring-Short Integer Solution (SIS) instance over a polynomial ring $R_{n,q}$ for some modulus $q$. Specifically, for a random ring-SIS instance $\mathbf a = (a_1, \ldots, a_m) \in R_{n,q}^m$, the GCK function $F_{\mathbf a}: R_{n,q}^m \to R_{n,q}$ is computed as $t = F_{\mathbf a}(\mathbf x) = \sum_{i=1}^{m} a_i x_i$ for a domain element $\mathbf x \in R_{n,q}^m$ with short coefficients. In 2002, Micciancio [1] showed that $F_{\mathbf a}$ is one-way, assuming the worst-case hardness of some shortest independent vector problems (SIVP) on cyclic lattices. Furthermore, in 2006, [2,3] proved that $F_{\mathbf a}$ is collision-resistant, assuming the worst-case hardness of some shortest vector problems (SVP) on ideal lattices. Additionally, the GCK function is linear: $F_{\mathbf a}(c_1 \mathbf x_1 + c_2 \mathbf x_2) = c_1 F_{\mathbf a}(\mathbf x_1) + c_2 F_{\mathbf a}(\mathbf x_2)$ for any ring elements $c_1, c_2 \in R_{n,q}$ and any domain elements $\mathbf x_1, \mathbf x_2 \in R_{n,q}^m$. Based on these properties, Lyubashevsky [4] proposed a GCK-based signature scheme in 2009, using a Schnorr-like identification protocol and the Fiat-Shamir transform [5]. The main idea of [4] is to set the public key to $(\mathbf a, t = F_{\mathbf a}(\mathbf s))$ and the corresponding signing key to $\mathbf s$, where $\mathbf s \in R_q^m$ is a vector of short polynomials. Signing begins by sampling a short vector $\mathbf y \in R_q^m$ (from a suitable distribution) and computing $v = \mathbf a \mathbf y\ (= F_{\mathbf a}(\mathbf y))$. The signer then computes $c = H(v, \mu)$, where $H$ is a hash function and $\mu$ is the message, and $\mathbf z = \mathbf y + \mathbf s c$. To ensure that the distribution of $\mathbf z$ is independent of the secret $\mathbf s$, so that $\mathbf z$ leaks no information about $\mathbf s$, the signer applies a rejection rule to $\mathbf z$. Under this rejection sampling, a signature $(\mathbf z, c)$ is output only when $\mathbf z$ falls in the predefined distribution centered at zero rather than at $\mathbf s c$. The verifier then checks that $H(\mathbf a \mathbf z - t c, \mu)$ equals $c$ and that $\mathbf z$ is sufficiently small.
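As an added worked example (not code from the paper or from its GCKS implementation), the following Python script implements the ring $R_{n,q}$, the GCK function $F_{\mathbf a}$, a check of its linearity, and the Schnorr-like sign/verify loop with rejection sampling described above. The parameters ($n = 16$, $q = 7681$, $m = 3$, $\beta = 1$, $B = 1000$), the hash $H$ built from SHA-256, and the choice of $c$ with $h = 4$ coefficients in $\{-1, +1\}$ are constructed for illustration and are far too small to be secure; the rejection bound $B - h\beta$ follows from $\|\mathbf s c\|_\infty \le h\beta$.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only (far too small to be secure).
N = 16                     # ring degree n: R_{n,q} = Z_q[x]/(x^n + 1)
Q = 7681                   # prime modulus q
M = 3                      # number of ring elements in a and in x
BETA = 1                   # secret-key coefficients are drawn from [-BETA, BETA]
H_WT = 4                   # c = H(v, mu) has exactly H_WT coefficients in {-1, +1} (the set R^{(h)})
B = 1000                   # masking vector y is drawn from [-B, B]
Z_BOUND = B - H_WT * BETA  # ||s c||_inf <= h*beta, so accept z only when ||z||_inf <= B - h*beta

def ring_mul(f, g):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n is replaced by -1 (negacyclic wrap-around)."""
    res = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + fi * gj) % Q
            else:
                res[k - N] = (res[k - N] - fi * gj) % Q
    return res

def ring_add(f, g):
    return [(u + w) % Q for u, w in zip(f, g)]

def ring_sub(f, g):
    return [(u - w) % Q for u, w in zip(f, g)]

def inf_norm(f):
    """Infinity norm over centered representatives in [-(q-1)/2, (q-1)/2]."""
    return max(abs(((u + Q // 2) % Q) - Q // 2) for u in f)

def gck(a, x):
    """GCK function F_a(x) = sum_i a_i * x_i in R_{n,q}."""
    t = [0] * N
    for ai, xi in zip(a, x):
        t = ring_add(t, ring_mul(ai, xi))
    return t

def linearity_holds(a, c1, c2, x1, x2):
    """F_a(c1 x1 + c2 x2) == c1 F_a(x1) + c2 F_a(x2), the property the signature relies on."""
    comb = [ring_add(ring_mul(c1, u), ring_mul(c2, w)) for u, w in zip(x1, x2)]
    rhs = ring_add(ring_mul(c1, gck(a, x1)), ring_mul(c2, gck(a, x2)))
    return gck(a, comb) == rhs

def hash_to_c(v, msg):
    """H(v, mu): SHA-256 digest expanded deterministically into a polynomial with H_WT entries in {-1, +1}."""
    digest = hashlib.sha256(repr(v).encode() + b"|" + msg).digest()
    drbg = random.Random(int.from_bytes(digest, "big"))
    c = [0] * N
    for pos in drbg.sample(range(N), H_WT):
        c[pos] = drbg.choice((-1, 1))
    return c

def keygen(rng):
    """pk = (a, t = F_a(s)), sk = s with short coefficients."""
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [[rng.randint(-BETA, BETA) for _ in range(N)] for _ in range(M)]
    return (a, gck(a, s)), s

def sign(pk, s, msg, rng):
    """Schnorr-like signing with rejection sampling: retry until z lies in the box centred at zero."""
    a, _ = pk
    while True:
        y = [[rng.randint(-B, B) for _ in range(N)] for _ in range(M)]
        v = gck(a, y)
        c = hash_to_c(v, msg)
        z = [ring_add(yi, ring_mul(si, c)) for yi, si in zip(y, s)]
        if all(inf_norm(zi) <= Z_BOUND for zi in z):   # rejection rule: z must not reveal s c
            return z, c

def verify(pk, msg, sig):
    """Accept iff z is short and H(a z - t c, mu) == c; by linearity a z - t c == F_a(y) == v."""
    a, t = pk
    z, c = sig
    if not all(inf_norm(zi) <= Z_BOUND for zi in z):
        return False
    return hash_to_c(ring_sub(gck(a, z), ring_mul(t, c)), msg) == c

def demo(seed=2024):
    """Key generation, signing and verification on constructed inputs, plus a linearity check."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sig = sign(pk, sk, b"hello", rng)

    def poly(lo, hi):
        return [rng.randint(lo, hi) for _ in range(N)]
    return {
        "valid": verify(pk, b"hello", sig),
        "tampered": verify(pk, b"hellO", sig),
        "linear": linearity_holds(pk[0], poly(0, Q - 1), poly(0, Q - 1),
                                  [poly(-3, 3) for _ in range(M)], [poly(-3, 3) for _ in range(M)]),
    }
```

`demo()` returns a dictionary with the honest verification result, the result on a tampered message and the linearity check; the verification identity $\mathbf a\mathbf z - tc = F_{\mathbf a}(\mathbf y)$ is exactly the linearity property checked by `linearity_holds`.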
Although the GCK-based signature of Lyubashevsky has a structure similar to the earlier Schnorr signature, the security proof employed in [4] relies on the concept of witness indistinguishability (WI). This notion is essential for proving the security of [4] under the collision resistance of the GCK function. WI refers to the property that, for an alternative (or multiple) signing key $\mathbf s'$ such that $t = F_{\mathbf a}(\mathbf s) = F_{\mathbf a}(\mathbf s')$, the signature $(\mathbf z = \mathbf y + \mathbf s c, c)$ is (statistically) indistinguishable from $(\mathbf z = \mathbf y + \mathbf s' c, c)$. In the security analysis, all signatures are simulated using $\mathbf s$, but by the WI property the adversary cannot tell which secret key was used. Thus, with high probability, the adversary's forgery corresponds to the other key $\mathbf s'$. In that case, the rewinding technique [6] enables the reduction to extract a pair of distinct inputs, i.e., a collision of $F_{\mathbf a}$. Since breaking the collision resistance of the GCK function implies solving a ring-SIS problem, the security of the GCK-based signature scheme [4] ultimately rests on the hardness of ring-SIS.
However, the WI property results in a significant efficiency drawback in [4]. This stems from the fact that the public key $t = F_{\mathbf a}(\mathbf s)$ and the corresponding secret key $\mathbf s$ must be generated so as to guarantee collisions in $F_{\mathbf a}$. Specifically, $\mathbf s$ must be parametrized so that another valid secret key $\mathbf s'$ with $F_{\mathbf a}(\mathbf s) = F_{\mathbf a}(\mathbf s')$ exists. This requirement forces each coefficient of $\mathbf s$ to be sampled from a relatively large range, for example $[-2047, 2047]$, resulting in a large signature $(\mathbf z, c)$. To overcome the efficiency issue associated with the WI property and the large bound on $\mathbf s$, Lyubashevsky [7] presented an alternative proof technique based on the decisional ring-SIS problem, in which $t = F_{\mathbf a}(\mathbf s)$ with a small bound on $\mathbf s$ is indistinguishable from a uniformly random $t \in R_q$. Consequently, the (real) GCK-based signature scheme uses $\mathbf s$ with small coefficients, while the simulated scheme in the security proof is provided to the adversary using $\mathbf s'$ with large coefficients. Although the WI property with a small bound on $\mathbf s$ enables a more efficient GCK-based signature scheme, no quantum reduction is known from worst-case lattice problems to the decisional ring-SIS problem over ideal lattices [7].
Another approach to circumventing the WI property with large coefficients of $\mathbf s$ is to construct the public key $t$ from the Learning with Errors (LWE) problem. In this approach, $t$ is computed as $t = F_{\mathbf a}(\mathbf s) + e$, where $e$ is a polynomial sampled from a narrow distribution. Based on the decisional ring-LWE problem, which is to distinguish a ring-LWE instance from a uniformly random one, the security proof of a ring-LWE-based signature scheme can be established by an argument similar to that for the decisional ring-SIS problem. Importantly, this approach gives better security against quantum adversaries because there is a reduction from worst-case lattice problems to the decisional ring-LWE problem [8]. Leveraging this idea, Güneysu et al. [9] proposed a ring-LWE-based signature scheme whose signature consists of three components $(c, \mathbf z_1, \mathbf z_2)$, where $\mathbf z_1 = \mathbf y_1 + c\mathbf s$ and $\mathbf z_2 = \mathbf y_2 + c e$. Bai and Galbraith [10] reduced the signature size of [9] by omitting $\mathbf z_2$ and introducing a compression technique to compensate for the correctness error resulting from $e$. In 2018, Ducas et al. [11] proposed the signature scheme Dilithium, which can be viewed as a generalization of [10] based on Module-LWE problems. Additionally, [11] presented a distinct proof technique that does not rely on the WI property used previously: two signature forgeries (obtained by rewinding the adversary) are used to directly solve a ring-SIS problem with respect to $(\mathbf A \| \mathbf t \| 1)$ rather than $(\mathbf A \| 1)$. Many other signatures based on [4] have been proposed recently [12,13], and their security proofs also follow the Dilithium approach.

Our contribution
From what has been shown so far, while significant progress has been made in creating efficient lattice-based signatures, the following question still arises: Can we prove the security of GCK-based signature without using the WI property?
The goal of this paper is to give a positive answer to the above question. To achieve this, we define a relaxed version of the one-wayness problem of the GCK function, called the target-modified one-wayness (TMO) problem. In essence, the TMO problem is to solve the one-wayness problem of the GCK function approximately rather than exactly: given $\mathbf a = (a_1, \ldots, a_m) \in R_{n,q}^m$ and $t = F_{\mathbf a}(\mathbf s) \in R_{n,q}$ for some $\mathbf s \in R_{n,q}^m$, find short polynomials $(\mathbf x = (x_1, \ldots, x_m), c) \in R_{n,q}^m \times R_q$ such that $F_{\mathbf a}(\mathbf x) = ct$. To provide confidence in the TMO problem, we show that it is reduced to both the one-wayness and the collision-resistance problems of the GCK function, i.e., a TMO solver yields a solver for CR or for OW.
Instead of proving the security of the original GCK-based signature scheme [4], we present a more efficient GCK-based signature scheme called GCKSign, which is a natural extension of [4] to the Module-GCK function. We adopt a matrix form $\mathbf A \in R_q^{k \times \ell}$ and $\mathbf s \in R_q^{\ell \times 1}$ and define the Module-GCK function as $\mathbf t = F_{\mathbf A}(\mathbf s) = \mathbf A \mathbf s \in R_q^{k \times 1}$. Analogously to the TMO problem, we establish a Module GCK-TMO problem and show its reduction to Module-SIS and Module-LWE problems. Notably, we prove that GCKSign is secure in the random oracle model under the Module GCK-TMO problem without relying on the WI property. By eliminating this property, we achieve significant efficiency improvements. In detail, GCKSign achieves a signature size about 3.4 times shorter and a public-key size about 2.4 times shorter than [4] at the same security level. In Section 5, we provide a concrete security and efficiency comparison between [4] and GCKSign.

Preliminaries
We begin by defining the syntax and security of digital signature.We also define two computational hardness problems related to the GCK function.

Notation
For a modulus $q \in \mathbb N$, $\mathbb Z_q$ denotes the quotient group with respect to addition modulo $q$. Let $R_n$ and $R_{n,q}$ be the rings $\mathbb Z[x]/(x^n+1)$ and $\mathbb Z_q[x]/(x^n+1)$, respectively, where $n$ is a power of two. Vectors with entries in $R_{n,q}$ are denoted by bold lowercase letters, for example $\mathbf a = (a_1, \ldots, a_m) \in R_{n,q}^m$ where $a_1, \ldots, a_m \in R_{n,q}$ for some positive integer $m$. $R_{n,q}^{(h)}$ denotes the subset of $R_{n,q}$ consisting of polynomials in which exactly $h$ coefficients are $-1$ or $1$ and all other coefficients are zero. Note that $|R_{n,q}^{(h)}| = 2^h \binom{n}{h}$. For a positive integer $x$, $R_{[-x,x]}$ denotes the subset of $R_{n,q}$ consisting of polynomials with coefficients in $[-x, x]$. The notation $\|\cdot\|_\infty$ refers to the infinity norm.

Digital signature
Definition 1. A digital signature (DS) scheme for a message space $\mathcal M$ consists of three algorithms, KeyGen, Sign, and Verify, such that:
• KeyGen($\lambda$): The key generation algorithm takes as input a security parameter $\lambda$ and outputs a pair of keys $(pk, sk)$, called the public key and the private key.
• Sign($sk$, $\mu$): The signing algorithm takes as input the private key $sk$ and a message $\mu \in \mathcal M$, and outputs a signature $\sigma$.
• Verify($pk$, $\mu$, $\sigma$): The verification algorithm takes as input the public key $pk$, a message $\mu$ and a signature $\sigma$, and outputs 1 if the signature is valid and 0 otherwise.
Definition 2 (Existential unforgeability). Let $\mathsf{DS} = (\mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Verify})$ be a digital signature scheme. Existential unforgeability against chosen-message attacks (UF-CMA) is defined via the following experiment $\mathrm{UF\text{-}CMA}^{\mathcal A}_{\mathsf{DS}}(\lambda)$ between a challenger $\mathcal C$ and an adversary $\mathcal A$:
1. $\mathcal C$ runs the key generation algorithm to get $(pk, sk)$ and gives $pk$ to $\mathcal A$.
2. $\mathcal A$ queries a signing oracle with messages $\mu$ of its choice. Let $Q$ denote the set of all messages that $\mathcal A$ queried.
3. $\mathcal A$ outputs a forgery $(\mu^*, \sigma^*)$. The experiment outputs 1 if $\mathsf{Verify}(pk, \mu^*, \sigma^*) = 1$ and $\mu^* \notin Q$, and 0 otherwise.
The advantage of $\mathcal A$ in breaking the UF-CMA security of $\mathsf{DS}$ is defined as $\mathrm{Adv}^{\mathrm{UF\text{-}CMA}}_{\mathsf{DS}}(\mathcal A) = \Pr[\mathrm{UF\text{-}CMA}^{\mathcal A}_{\mathsf{DS}}(\lambda) = 1]$.
We say that $\mathsf{DS}$ is UF-CMA secure if for any polynomial-time adversary $\mathcal A$ we have $\mathrm{Adv}^{\mathrm{UF\text{-}CMA}}_{\mathsf{DS}}(\mathcal A) \le \epsilon(\lambda)$, where $\epsilon$ is a negligible function of the security parameter $\lambda$.

GCK hardness problems
Definition 3 (GCK Function [1]). For a ring $R_{n,q}$, a subset $S \subseteq R_{n,q}$, an integer $m \ge 1$, and a randomly and independently chosen $\mathbf a = (a_1, \ldots, a_m) \in R_{n,q}^m$, the GCK function $F_{\mathbf a}: S^m \to R_{n,q}$ is defined as follows: for $\mathbf x \in S^m \subseteq R_{n,q}^m$, $F_{\mathbf a}(\mathbf x) = \sum_{i=1}^{m} a_i x_i$, where the sum is computed using the ring multiplication and addition operations.
In this paper, we specify the subset $S$ as $S = R_{[-\beta,\beta]}$ for some integer $\beta$.

Definition 4 (One-Wayness of GCK function [1]). A GCK function is one-way (OW) if it is easy to compute but, for any probabilistic polynomial-time (PPT) algorithm $\mathcal A$, computationally hard to invert: given a pair $(\mathbf a, t = F_{\mathbf a}(\mathbf x))$ for randomly chosen $\mathbf a \in R_q^m$ and $\mathbf x \in R^m_{[-\beta,\beta]}$, find $\mathbf x$ in the domain such that $F_{\mathbf a}(\mathbf x) = t$. For integers $n, m, q, \beta \in \mathbb N$, we define $\mathrm{Adv}^{\mathrm{OW}}_{n,m,q,\beta}$ as the advantage of an algorithm $\mathcal A$ in solving the OW problem of a GCK function over the ring $R_{n,q}$.
Definition 5 (Collision-Resistance of GCK function [2,3]). A GCK function is collision-resistant (CR) if for any probabilistic polynomial-time (PPT) algorithm $\mathcal A$ it is computationally hard to find a collision of the GCK function: given a randomly chosen $\mathbf a \in R_q^m$, find distinct $\mathbf x, \mathbf x' \in R^m_{[-\beta,\beta]}$ such that $F_{\mathbf a}(\mathbf x) = F_{\mathbf a}(\mathbf x')$. For integers $n, m, q, \beta \in \mathbb N$, we define $\mathrm{Adv}^{\mathrm{CR}}_{n,m,q,\beta}$ as the advantage of an algorithm $\mathcal A$ in solving the CR problem of a GCK function over the ring $R_{n,q}$.
Main results

GCK-TMO problem
Now, we define a new GCK-related problem, called the TMO problem of the GCK function.
Definition 6 (Target-Modified One-wayness of GCK function). For integers $n, m, q, \alpha, \beta \in \mathbb N$, the TMO problem is defined as follows: given $\mathbf a \in R_{n,q}^m$ and $t \in R_{n,q}$, find $\mathbf x \in R_{n,q}^m$ and $c \in R_{n,q}$ with $\|c\|_\infty \le \alpha$ and $\|\mathbf x\|_\infty \le \beta$ satisfying $F_{\mathbf a}(\mathbf x) = ct$.
The TMO problem is a modified OW problem of a GCK function, obtained by changing the original target $t$ into the new target $ct$. The important point is that $c \in R_q$ must be short, meaning $\|c\|_\infty \le \alpha$ for a small integer $\alpha$, but can otherwise be chosen by the solver as desired. Intuitively, the TMO problem becomes trivial if $c$ may be chosen freely in $R_q$: for any short $\mathbf x$ with $\|\mathbf x\|_\infty \le \beta$, first compute $F_{\mathbf a}(\mathbf x) = t'$ and then obtain $c = t' t^{-1}$ (if $t^{-1}$ exists). Also, the OW problem of a GCK function can be viewed as the special case of the TMO problem in which the solution is $(\mathbf x, c = 1)$. For integers $n, m, q, \alpha, \beta \in \mathbb N$, we define $\mathrm{Adv}^{\mathrm{TMO}}_{n,m,q,\alpha,\beta}$ as the advantage of an algorithm $\mathcal A$ in solving the TMO problem over the ring $R_{n,q}$.
Computational hardness of the TMO problem.
By deriving an upper bound on $\mathrm{Adv}^{\mathrm{TMO}}_{n,m,q,\alpha,\beta}$ from the following reduction, we show that the TMO problem is at least as hard as the CR and OW problems of a GCK function. For our reduction, we require a special form of $(n, q)$ determining the ring $R_q = \mathbb Z_q[x]/(x^n+1)$, in order to guarantee that a short $c \in R_q$ has an inverse. More precisely, we require that $n$ and $\rho$ are power-of-2 integers with $n \ge \rho$, and that $q$ is a prime with $q \equiv 2\rho + 1 \pmod{4\rho}$. We then use the result [14, Corollary 1.2] that any short $c \in R_q$ with $\|c\|_\infty < (1/\sqrt{\rho}) \cdot q^{1/\rho}$ has an inverse in $R_q$ with probability 1.
Theorem 1. Let $n$ and $\rho$ be power-of-2 integers with $n \ge \rho$, and let $q$ be a prime with $q \equiv 2\rho + 1 \pmod{4\rho}$. For integers $m, \alpha, \beta, \gamma \in \mathbb N$ satisfying $\alpha < (1/\sqrt{\rho}) \cdot q^{1/\rho}$, $(2\beta+1)^{mn} \ge q^n$ and $n\alpha\gamma \le \beta$, it holds that
$$\mathrm{Adv}^{\mathrm{TMO}}_{n,m,q,\alpha,\beta} \le \mathrm{Adv}^{\mathrm{CR}}_{n,m,q,\beta} + \mathrm{Adv}^{\mathrm{OW}}_{n,m,q,\gamma}.$$
Proof. Suppose there is an algorithm $\mathcal A$ that solves the TMO problem with advantage $\mathrm{Adv}^{\mathrm{TMO}}_{n,m,q,\alpha,\beta}$ for some $\alpha$ with $\alpha < (1/\sqrt{\rho}) \cdot q^{1/\rho}$. Recall that $\mathcal A$ takes $(\mathbf a, t)$ as input and tries to find a pair $(\mathbf x, c)$ such that $F_{\mathbf a}(\mathbf x) = ct$, $\|c\|_\infty \le \alpha$ and $\|\mathbf x\|_\infty \le \beta$.
According to [14, Corollary 1.2], any $c \in R_{n,q}$ with $\|c\|_\infty < (1/\sqrt{\rho}) \cdot q^{1/\rho}$ has an inverse in $R_{n,q}$. Since $\alpha$ is below this bound, the short polynomial $c$ always has an inverse in $R_{n,q}$. From the output $(\mathbf x, c)$ of $\mathcal A$, we set $\mathbf z = \mathbf x c^{-1}$, treating $c^{-1}$ as a scalar. Since $F_{\mathbf a}$ is linear, we see that $F_{\mathbf a}(\mathbf z) = F_{\mathbf a}(\mathbf x c^{-1}) = c^{-1} F_{\mathbf a}(\mathbf x) = c^{-1} c t = t$. For an integer $\gamma \in \mathbb N$ satisfying $\gamma \le \beta/(n\alpha)$, we consider two cases:
Case 1: $\|\mathbf z\|_\infty > \gamma$.
Case 2: $\|\mathbf z\|_\infty \le \gamma$.
Obviously, the output $(\mathbf x, c)$ of $\mathcal A$ falls into either case 1 or case 2. In case 1, we show that an algorithm $\mathcal B$ can use $\mathcal A$ to solve the CR problem of a GCK function. The assumption $(2\beta+1)^{mn} \ge q^n$ guarantees that a collision with respect to any element of $R_q$ can presumably be found. Given $\mathbf a \in R_q^m$ as input, $\mathcal B$ proceeds as follows:
1. Choose a random $\mathbf z' \in R^m_{[-\gamma,\gamma]}$.
2. Set $t = F_{\mathbf a}(\mathbf z')$.
3. Run $\mathcal A$ on input $(\mathbf a, t)$ and get $(\mathbf x, c)$ from $\mathcal A$.
4. Output $(\mathbf x, \mathbf x' = c\mathbf z')$.
For $(\mathbf x, \mathbf x')$ to be a solution of the CR problem, we need to show that $F_{\mathbf a}(\mathbf x) = F_{\mathbf a}(\mathbf x')$, $\|\mathbf x\|_\infty \le \beta$, $\|\mathbf x'\|_\infty \le \beta$, and $\mathbf x \ne \mathbf x'$. First, since $(\mathbf x, c)$ is a solution of the TMO problem, $F_{\mathbf a}(\mathbf x) = ct$. Also, $t = F_{\mathbf a}(\mathbf z')$ by step 2, so by the linearity of the GCK function $ct = cF_{\mathbf a}(\mathbf z') = F_{\mathbf a}(c\mathbf z') = F_{\mathbf a}(\mathbf x')$. Thus $F_{\mathbf a}(\mathbf x) = ct = F_{\mathbf a}(\mathbf x')$. Second, $\|\mathbf x\|_\infty \le \beta$ because $\mathbf x$ is a TMO solution, and $\|\mathbf x'\|_\infty \le \beta$ because (1) $\gamma \le \beta/(n\alpha)$ by assumption and (2) $\|\mathbf x'\|_\infty \le n \cdot \|c\|_\infty \cdot \|\mathbf z'\|_\infty \le n\alpha\gamma \le \beta$. Lastly, $\mathbf x \ne \mathbf x'$: in case 1, where $\mathbf z = \mathbf x c^{-1}$, we have $\mathbf z \ne \mathbf z'$ because $\|\mathbf z\|_\infty > \gamma$ (case 1) while $\|\mathbf z'\|_\infty \le \gamma$ (step 1). Since $\mathbf z' = \mathbf x' c^{-1}$, this gives $\mathbf x c^{-1} \ne \mathbf x' c^{-1}$, and hence $\mathbf x \ne \mathbf x'$.
Next, in case 2, we show that another algorithm $\mathcal C$ can use $\mathcal A$ to solve the OW problem of a GCK function. Given $(\mathbf a, t)$ as input, $\mathcal C$ proceeds as follows:
1. Run $\mathcal A$ on input $(\mathbf a, t)$ and get $(\mathbf x, c)$ from $\mathcal A$.
2. Output $\mathbf z = \mathbf x c^{-1}$.
$\mathbf z$ is a solution of the OW problem because $F_{\mathbf a}(\mathbf z) = t$ and $\|\mathbf z\|_\infty \le \gamma$ by the condition of case 2.
As a result, the ability of $\mathcal A$ to solve the TMO problem transfers to solving the CR or OW problem of a GCK function: $\mathrm{Adv}^{\mathrm{TMO\,(case\ 1)}}_{n,m,q,\alpha,\beta} \le \mathrm{Adv}^{\mathrm{CR}}_{n,m,q,\beta}$ in case 1 and $\mathrm{Adv}^{\mathrm{TMO\,(case\ 2)}}_{n,m,q,\alpha,\beta} \le \mathrm{Adv}^{\mathrm{OW}}_{n,m,q,\gamma}$ in case 2. This completes the proof.
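The reduction of Theorem 1 can be exercised end to end on a toy instance. The script below is an added example, not code from the paper: it implements the inverse $c^{-1}$ in $R_{n,q}$ (by Gauss-Jordan elimination on the multiplication-by-$c$ matrix, a choice of this example rather than a method of the paper), the TMO/CR/OW solution checks, and the case split of algorithms $\mathcal B$ and $\mathcal C$. The parameters $n = 8$, $\rho = 2$, $q = 101$, $m = 2$, $\alpha = 2$, $\beta = 16$, $\gamma = 1$ are constructed to satisfy the hypotheses of the theorem. Since a real TMO solver cannot be written here, a stand-in adversary is handed the reduction's preimage $\mathbf z'$ and, for case 1, a short kernel vector $\mathbf k$ with $F_{\mathbf a}(\mathbf k) = 0$ that is planted into $\mathbf a$; the reduction itself only uses $\mathbf z'$ and the adversary's answer $(\mathbf x, c)$.

```python
import random

# Toy parameters satisfying the hypotheses of Theorem 1 (constructed for illustration only):
# n = 8 >= rho = 2 are powers of two; q = 101 is prime with q = 5 = 2*rho + 1 (mod 4*rho);
# alpha = 2 < q^(1/rho) / sqrt(rho) = sqrt(101/2) ~ 7.1; (2*beta + 1)^(m*n) = 33^16 >= q^n = 101^8;
# n * alpha * gamma = 16 <= beta = 16.
N, Q, M = 8, 101, 2
ALPHA, BETA, GAMMA = 2, 16, 1

def ring_mul(f, g):
    """Schoolbook product in Z_q[x]/(x^n + 1) (negacyclic wrap-around)."""
    res = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + fi * gj) % Q
            else:
                res[k - N] = (res[k - N] - fi * gj) % Q
    return res

def center(f):
    """Signed representatives in [-(q-1)/2, (q-1)/2]."""
    return [((u + Q // 2) % Q) - Q // 2 for u in f]

def inf_norm(f):
    return max(abs(u) for u in center(f))

def gck(a, x):
    """F_a(x) = sum_i a_i x_i."""
    t = [0] * N
    for ai, xi in zip(a, x):
        t = [(u + w) % Q for u, w in zip(t, ring_mul(ai, xi))]
    return t

def ring_inverse(c):
    """c^{-1} in Z_q[x]/(x^n + 1): Gauss-Jordan elimination on the n x n multiplication-by-c matrix
    (column j holds the coefficients of c * x^j), solving M u = e_0 mod q. Raises if c is not invertible."""
    rows = [[(c[i - j] if i >= j else -c[i - j + N]) % Q for j in range(N)] + [int(i == 0)]
            for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            raise ValueError("c has no inverse")
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, Q)
        rows[col] = [(v * inv) % Q for v in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(vr - f * vc) % Q for vr, vc in zip(rows[r], rows[col])]
    return [row[N] for row in rows]

def is_tmo_solution(a, t, x, c):
    return inf_norm(c) <= ALPHA and all(inf_norm(xi) <= BETA for xi in x) and gck(a, x) == ring_mul(c, t)

def is_collision(a, x, x2):
    return ([center(v) for v in x] != [center(v) for v in x2] and gck(a, x) == gck(a, x2)
            and all(inf_norm(v) <= BETA for v in x + x2))

def is_ow_solution(a, t, z):
    return gck(a, z) == t and all(inf_norm(zi) <= GAMMA for zi in z)

def reduce_tmo(a, z_prime, x, c):
    """Case split of Theorem 1: z = x c^{-1}. ||z||_inf <= gamma is case 2 (OW solution z);
    otherwise case 1, where (x, x' = c z') is a collision. z_prime is the reduction's planted preimage."""
    c_inv = ring_inverse(c)
    z = [center(ring_mul(xi, c_inv)) for xi in x]
    if all(inf_norm(zi) <= GAMMA for zi in z):
        return "OW", z
    return "CR", (x, [ring_mul(c, zi) for zi in z_prime])

def planted_instance(rng):
    """Random a with a planted short kernel vector k = (k1, 1): a2 := -a1 k1, so F_a(k) = 0.
    Only the stand-in adversary below uses k; the reduction never does."""
    a1 = [rng.randrange(Q) for _ in range(N)]
    k1 = [rng.randint(-1, 1) for _ in range(N)]
    a2 = [(-v) % Q for v in ring_mul(a1, k1)]
    return [a1, a2], [k1, [1] + [0] * (N - 1)]

def stand_in_adversary(z_prime, kernel, c):
    """Stand-in for A: it is handed a preimage z' it would normally have to find itself. Without a
    kernel vector it answers x = c z' (leads to case 2); with one, x = c z' + k is a second preimage
    of c t (leads to case 1)."""
    x = [ring_mul(c, zi) for zi in z_prime]
    if kernel is not None:
        x = [[(u + w) % Q for u, w in zip(xi, ki)] for xi, ki in zip(x, kernel)]
    return x, c

def demo(seed=1):
    """Run both cases. Returns {case: (kind, A's answer is a valid TMO solution, extracted solution valid)}."""
    rng = random.Random(seed)
    a, kernel = planted_instance(rng)
    z_prime = [[rng.randint(-GAMMA, GAMMA) for _ in range(N)] for _ in range(M)]  # step 1 of B
    t = gck(a, z_prime)                                                           # step 2 of B
    c = [1, 1, 0, -1] + [0] * (N - 4)   # short challenge c = 1 + x - x^3, ||c||_inf = 1 <= alpha
    out = {}
    for label, ker in (("case2", None), ("case1", kernel)):
        x, c_out = stand_in_adversary(z_prime, ker, c)
        kind, sol = reduce_tmo(a, z_prime, x, c_out)
        valid = is_ow_solution(a, t, sol) if kind == "OW" else is_collision(a, *sol)
        out[label] = (kind, is_tmo_solution(a, t, x, c_out), valid)
    return out
```

In case 1 the extracted $\mathbf z = \mathbf x c^{-1} = \mathbf z' + \mathbf k c^{-1}$ is long because $c^{-1}$ has large coefficients, so the reduction outputs the collision $(\mathbf x, c\mathbf z')$; in case 2 it recovers $\mathbf z'$ itself as the OW preimage. The invertibility of the chosen $c$ is exactly what the $q \equiv 2\rho+1 \pmod{4\rho}$ condition and [14, Corollary 1.2] guarantee.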

Extension to module GCK-TMO problem.
The GCK function can be extended to a module setting where $F_{\mathbf A}(\mathbf x) = \mathbf A\mathbf x$ for $\mathbf A \in R_{n,q}^{k \times \ell}$ and $\mathbf x \in R^{\ell \times 1}_{[-\beta,\beta]}$. Accordingly, the OW, CR and TMO problems of the GCK function each have a similarly defined counterpart in the module setting. In particular, we define the module version of the TMO problem as follows.
Definition 7 (Module GCK-TMO Problem). For integers $n, k, \ell, q, \alpha, \beta \in \mathbb N$, the Module GCK-TMO problem is defined as follows: given $\mathbf A \in R_{n,q}^{k \times \ell}$ and $\mathbf t \in R_{n,q}^{k \times 1}$, find $(\mathbf x, c) \in R_{n,q}^{\ell \times 1} \times R_{n,q}$ with $\|c\|_\infty \le \alpha$ and $\|\mathbf x\|_\infty \le \beta$ satisfying $F_{\mathbf A}(\mathbf x) = \mathbf A\mathbf x = c\mathbf t$.
Similarly, we define $\mathrm{Adv}^{\mathrm{M\text{-}TMO}}_{n,k,\ell,q,\alpha,\beta}$ as the advantage of an algorithm $\mathcal A$ in solving the TMO problem of the Module-GCK function over the ring $R_{n,q}$. With the two analogously defined advantages $\mathrm{Adv}^{\mathrm{M\text{-}CR}}_{n,k,\ell,q,\beta}$ and $\mathrm{Adv}^{\mathrm{M\text{-}OW}}_{n,k,\ell,q,\gamma}$ (for some positive integer $\gamma$) for the Module-GCK function, we can prove the following theorem.
Theorem 2. Let $n$ and $\rho$ be power-of-2 integers with $n \ge \rho$, and let $q$ be a prime with $q \equiv 2\rho + 1 \pmod{4\rho}$. For integers $k, \ell, \alpha, \beta, \gamma \in \mathbb N$ satisfying $\alpha < (1/\sqrt{\rho}) \cdot q^{1/\rho}$, $(2\beta+1)^{n\ell} \ge q^{nk}$ and $n\alpha\gamma \le \beta$, it holds that
$$\mathrm{Adv}^{\mathrm{M\text{-}TMO}}_{n,k,\ell,q,\alpha,\beta} \le \mathrm{Adv}^{\mathrm{M\text{-}CR}}_{n,k,\ell,q,\beta} + \mathrm{Adv}^{\mathrm{M\text{-}OW}}_{n,k,\ell,q,\gamma}.$$
The proof follows by the same argument as the proof of Theorem 1, so we omit it.

Construction.
For the security parameter $\lambda$, GCKSign generates the public parameters, params, as follows: choose an integer $n$ such that $n = 2^a$ for an integer $a \in \mathbb N$ (indeed, we set $n = 256$ for all parameter sets), and choose a prime modulus $q$ and positive integers $k, \ell, B, h, L_s$ and $\eta$. Then params is given by $(n, q, k, \ell, B, h, L_s, \eta)$. Also, GCKSign requires a hash [the remainder of the construction, including the algorithm listings, is not recoverable from this copy]

Correctness.
The way GCKSign works is almost the same as the Schnorr signature scheme, except for (1) the rejection sampling in the Sign algorithm and (2) the use of the encoding function. For a correctly generated $\sigma = (\mathbf z, \hat c)$, the first verification condition, $\|\mathbf z\|_\infty < B - L_s$, holds because it is exactly the condition checked in the Sign algorithm, and the second condition is guaranteed by the following equation: $\mathbf A\mathbf z - c\mathbf t = \mathbf A(\mathbf y + c\mathbf s) - c\mathbf A\mathbf s = \mathbf A\mathbf y = \mathbf v$.
Theorem 3. Assume that $\|c\mathbf s\|_\infty \le L_s$ and that $H$ is modeled as a random oracle. GCKSign is UF-CMA secure in the random oracle model if the TMO problem of the Module-GCK function is hard. That is, for any PPT adversary $\mathcal A$ with advantage $\mathrm{Adv}^{\mathrm{UF\text{-}CMA}}_{\mathsf{DS}}(\mathcal A)$, making at most $q_h$ hash queries and at most $q_s$ signature queries, there exists a PPT algorithm $\mathcal B$ that solves the TMO problem with advantage $\mathrm{Adv}^{\mathrm{TMO}}_{n,k,\ell,q,2,2(B-L_s)}$, where the bound relating the two advantages is only partially legible in this copy (it contains the term $\sqrt{q_h \cdot \mathrm{Adv}^{\mathrm{TMO}}_{n,k,\ell,q,2,2(B-L_s)}}$).
Proof. To prove the security of GCKSign, we define a sequence of hybrid games $G_0, G_1, G_2$, where $G_0$ is the original UF-CMA security game of Section 2.2 and $G_2$ is the final game, in which the success probability of $\mathcal A$ is easily bounded by the hardness of the TMO problem. For each game $G_i$, we define $\delta_i$ as the event that $\mathcal A$ successfully outputs a forgery in $G_i$.
Game $G_0$. In this game, a challenger $\mathcal C$ runs the key generation algorithm to get $(pk, sk)$ and gives $pk$ to $\mathcal A$. Whenever $\mathcal A$ asks a hash query $(\mathbf v, \mu)$, $\mathcal C$ returns the same answer as before if the query has already been asked; otherwise $\mathcal C$ chooses a random $\hat c \in \{0,1\}^{\ell_1}$ and returns it. Whenever $\mathcal A$ asks a signature query $\mu$, $\mathcal C$ runs the signing algorithm and gives the resulting signature $\sigma = (\mathbf z, \hat c)$ to $\mathcal A$. Finally, $\mathcal A$ outputs $(\mu^*, \sigma^*)$ under the condition that $\mu^*$ was not queried, and $\mathcal C$ returns $\mathsf{Verify}(pk, \mu^*, \sigma^*)$ as the output of the experiment. Thus, $\Pr[\delta_0] = \mathrm{Adv}^{\mathrm{UF\text{-}CMA}}_{\mathsf{PKS}}(\mathcal A)$.
Game $G_1$. $G_1$ is the same as $G_0$ except that signing queries are answered by the MidSign algorithm (Algorithm 4 below). The two games differ only in that the random hash value $\hat c$ is programmed before the input $(\mathbf v, \mu)$ is received, so $\mathcal A$ cannot tell whether the signing oracle was answered by Sign or by MidSign. Let inconsistency be the event that some $\hat c$ has previously been assigned to an input $(\mathbf v, \mu)$ queried by $\mathcal A$. This event occurs when the $\mathbf v$ computed by $\mathcal C$ coincides with one of the values queried by $\mathcal A$ for the same message $\mu$. Since $\mathbf v = \mathbf A\mathbf y \in R_q^{k \times 1}$ and $\mathbf y$ is chosen uniformly at random from $R^{\ell \times 1}_{[-B,B]}$, the total number of possible $\mathbf v$ is $(2B+1)^{n\ell}$. For $q_h$ hash queries, the probability that $\mathbf v$ coincides with one of the queried values is at most $q_h/(2B+1)^{n\ell}$. Also, since $\mathcal A$ issues at most $q_s$ signature queries, the probability that inconsistency happens is at most $q_h q_s/(2B+1)^{n\ell}$. Unless inconsistency happens, $G_1$ is the same as $G_0$. Thus, $|\Pr[\delta_1] - \Pr[\delta_0]| \le q_h q_s/(2B+1)^{n\ell}$.
Game $G_2$. $G_2$ is the same as $G_1$ except that signature queries are answered by the SimSign algorithm (Algorithm 5 below), that is, except for the way $\mathbf z$ and $\mathbf v$ are generated. Although $\sigma = (\mathbf z, \hat c)$ is generated in $G_2$ without using $sk = \mathbf s$, it is infeasible for $\mathcal A$ to distinguish $G_1$ from $G_2$ because of the zero-knowledge property of the underlying identification protocol.
The remaining part is to check whether $\mathcal A$ can distinguish the two distributions of $(\mathbf z, \hat c, \mathbf v)$ in $G_1$ and $G_2$, especially with respect to $\mathbf v$. In $G_1$, $\mathbf v$ is computed as $\mathbf v = \mathbf A\mathbf y$ for some $\mathbf y \in R^{\ell \times 1}_{[-B,B]}$; in $G_2$, $\mathbf v$ is computed as $\mathbf A\mathbf z - c\mathbf t$, and we need it to also be of the form $\mathbf A\mathbf r$ for some $\mathbf r \in R^{\ell \times 1}_{[-B,B]}$. If so, the two distributions of $(\mathbf z, \hat c, \mathbf v)$ in $G_1$ and $G_2$ are identical from $\mathcal A$'s point of view. To guarantee this, set $\mathbf r = \mathbf z - c\mathbf s$ for the (unknown) secret key $\mathbf s \in R^{\ell \times 1}_{[-\eta,\eta]}$ with $\mathbf t = \mathbf A\mathbf s$. Then $\mathbf A\mathbf r = \mathbf A(\mathbf z - c\mathbf s) = \mathbf A\mathbf z - c\mathbf t = \mathbf v$. Since $\|c\mathbf s\|_\infty \le L_s$ (by assumption) and $\|\mathbf z\|_\infty \le B - L_s$ (by the choice of $\mathbf z$), we get $\|\mathbf r\|_\infty \le \|\mathbf z\|_\infty + \|c\mathbf s\|_\infty \le B - L_s + L_s = B$, which matches the distribution in $G_1$. As a result, $\Pr[\delta_2] = \Pr[\delta_1]$.
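To make the Game $G_2$ argument concrete, the following added example (not the paper's or the GCKS implementation's code) implements a toy Module-GCK instance, a programmable random oracle, a SimSign-style simulator that produces verifying signatures without $\mathbf s$, and an exhaustive check that every $\mathbf z$ in the accepted box $\|\mathbf z\|_\infty \le B - L_s$ has a masking vector $\mathbf r = \mathbf z - c\mathbf s$ inside $[-B, B]$, while a bound $L_s$ smaller than $h\eta$ breaks this. The parameters ($n = 4$, $k = 2$, $\ell = 1$, $q = 257$, $\eta = 1$, $h = 2$, $B = 5$), the dictionary-based oracle and the non-strict bound $\|\mathbf z\|_\infty \le B - L_s$ from the $G_2$ argument are assumptions of the example; the encoding of $c$ into $\hat c$ is omitted and $c$ is used directly.

```python
import itertools
import random

# Toy GCKSign-style parameters, constructed for illustration only (far too small to be secure).
N, K, L = 4, 2, 1        # ring degree n and module dimensions k x l
Q = 257                  # prime modulus q
ETA = 1                  # secret key s in R_{[-eta,eta]}^{l x 1}
H_WT = 2                 # challenge c in R^{(h)}: h nonzero coefficients in {-1, +1}
L_S = H_WT * ETA         # ||c s||_inf <= h * eta, the bound L_s of the paper
B = 5                    # masking y in R_{[-B,B]}^{l x 1}; a signature needs ||z||_inf <= B - L_s

def ring_mul(f, g):
    """Schoolbook product in Z_q[x]/(x^n + 1) (negacyclic wrap-around)."""
    res = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                res[k] = (res[k] + fi * gj) % Q
            else:
                res[k - N] = (res[k - N] - fi * gj) % Q
    return res

def center(f):
    """Signed representatives in [-(q-1)/2, (q-1)/2]."""
    return [((u + Q // 2) % Q) - Q // 2 for u in f]

def inf_norm(f):
    return max(abs(u) for u in center(f))

def module_gck(A, x):
    """Module-GCK function F_A(x) = A x, A in R^{k x l}, x in R^{l x 1}."""
    t = []
    for row in A:
        acc = [0] * N
        for aij, xj in zip(row, x):
            acc = [(u + w) % Q for u, w in zip(acc, ring_mul(aij, xj))]
        t.append(acc)
    return t

def commitment(pk, z, c):
    """A z - c t, the value the verifier hashes (equals A y for an honest signature)."""
    A, t = pk
    return [[(u - w) % Q for u, w in zip(az_i, ring_mul(c, t_i))]
            for az_i, t_i in zip(module_gck(A, z), t)]

def random_challenge(rng):
    c = [0] * N
    for pos in rng.sample(range(N), H_WT):
        c[pos] = rng.choice((-1, 1))
    return c

def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s = [[rng.randint(-ETA, ETA) for _ in range(N)] for _ in range(L)]
    return (A, module_gck(A, s)), s

def ro_query(oracle, v, msg, rng):
    """Programmable random oracle H(v, mu): reuse the stored answer or draw and store a fresh one."""
    key = (repr(v), msg)
    if key not in oracle:
        oracle[key] = random_challenge(rng)
    return oracle[key]

def sim_sign(pk, msg, oracle, rng):
    """SimSign of Game G_2, without the secret key: draw z uniformly from the accepted box and c at
    random, compute v = A z - c t and program H(v, mu) := c. Returns None on the 'inconsistency' event."""
    z = [[rng.randint(-(B - L_S), B - L_S) for _ in range(N)] for _ in range(L)]
    c = random_challenge(rng)
    key = (repr(commitment(pk, z, c)), msg)
    if key in oracle and oracle[key] != c:
        return None
    oracle[key] = c
    return z, c

def verify(pk, msg, sig, oracle, rng):
    z, c = sig
    if any(inf_norm(zi) > B - L_S for zi in z):
        return False
    return ro_query(oracle, commitment(pk, z, c), msg, rng) == c

def box_fully_reachable(c, s, ls=L_S):
    """Exhaustive check of the G_2 argument: every z with ||z||_inf <= B - ls must have its masking
    vector r = z - c s inside [-B, B]; then the honest signer's accepted z is uniform on the box and
    independent of s. Returns False as soon as some z has no valid r (the bound ls is too small)."""
    cs = [center(ring_mul(c, si)) for si in s]
    for coeffs in itertools.product(range(-(B - ls), B - ls + 1), repeat=N * L):
        for i in range(L):
            if any(abs(zc - sc) > B for zc, sc in zip(coeffs[i * N:(i + 1) * N], cs[i])):
                return False
    return True

def demo(seed=3):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    oracle = {}
    sig = sim_sign(pk, b"msg", oracle, rng)
    too_long = ([[B] + [0] * (N - 1)], sig[1])          # z outside the accepted box
    return {
        "simulated_verifies": verify(pk, b"msg", sig, oracle, rng),
        "long_z_rejected": verify(pk, b"msg", too_long, oracle, rng),
        "box_ok_with_Ls": box_fully_reachable(sig[1], sk),
    }
```

`demo()` shows that a signature produced without $\mathbf s$ passes verification once $H(\mathbf v, \mu)$ has been programmed, and `box_fully_reachable` is the counting argument behind $\Pr[\delta_2] = \Pr[\delta_1]$: with $L_s = h\eta$ the map $\mathbf y \mapsto \mathbf z = \mathbf y + c\mathbf s$ hits every point of the accepted box exactly once, whereas with a too-small $L_s$ some accepted $\mathbf z$ would require a masking vector outside $[-B, B]$ and the real signer's output would depend on $\mathbf s$.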

Parameter settings
Table 1 presents several conditions necessary for choosing the parameters of GCKSign. The proof of Theorem 3 indicates that the TMO problem of the Module-GCK function is instantiated with $\alpha = 2$ and $\beta = 2(B - L_s)$. Also, because $c$ has $h$ non-zero coefficients, for any $\mathbf s \in R^{\ell \times 1}_{[-\eta,\eta]}$ it holds that $\|c\mathbf s\|_\infty \le h\eta$, which allows setting $L_s = h\eta$. Based on these requirements, Table 2 proposes three parameter sets for GCKSign. We set $\eta = 1$ as the bound for the secret key polynomial $\mathbf s$, and $\rho = 8$ for all parameter sets in order to choose $q$ meeting requirement (2) in Table 1.

Concrete security analysis
As shown above, the security of GCKSign relies on the TMO problem of the Module-GCK function with advantage $\mathrm{Adv}^{\mathrm{TMO}}_{n,k,\ell,q,2,2(B-L_s)}$. By Theorem 2, the security further reduces to the CR and OW problems of the Module-GCK function with advantages $\mathrm{Adv}^{\mathrm{M\text{-}CR}}_{n,k,\ell,q,2(B-L_s)}$ and $\mathrm{Adv}^{\mathrm{M\text{-}OW}}_{n,k,\ell,q,\gamma}$, where $\gamma$ is determined by requirement (3), $\gamma \le \beta/(n\alpha)$, in Table 1. Also, we use the fact that the CR problem of the Module-GCK function reduces to the Module-SIS problem with advantage $\mathrm{Adv}^{\mathrm{M\text{-}SIS}}_{n,k,\ell,q,2(B-L_s)}$, and (using the Hermite normal form) the OW problem of the Module-GCK function reduces to the Module-LWE problem with advantage $\mathrm{Adv}^{\mathrm{M\text{-}LWE}}_{n,k,(\ell-k),q,\gamma}$. Strictly speaking, $4(B - L_s)$ would be more accurate than $2(B - L_s)$, but we follow the same analysis as Dilithium [11] for the security of Module-SIS. Regarding the choice of $\gamma$: it can be any positive integer satisfying $\gamma \le 2(B - L_s)/(2^8 \times 2)$, but we set $\gamma = 1$ for the Module-LWE problem. This is because a smaller modulus-to-noise ratio $q/\gamma$ generally gives stronger concrete security against known lattice attacks [15], so decreasing $\gamma$ is more advantageous to an adversary solving Module-LWE when $q$ is fixed. Eventually, the concrete security of GCKSign is estimated by the best-known lattice attacks against the Module-{SIS, LWE} problems with advantages $\mathrm{Adv}^{\mathrm{M\text{-}SIS}}_{n,k,\ell,q,2(B-L_s)}$ and $\mathrm{Adv}^{\mathrm{M\text{-}LWE}}_{n,k,(\ell-k),q,1}$, respectively. The existence of a solution for $\gamma = 1$ is guaranteed by the key generation $\mathbf t = \mathbf A\mathbf s$ with $\mathbf A \in R^{k \times \ell}$ and $\mathbf s \in R^{\ell \times 1}_{[-1,1]}$. To analyze the concrete security of these Module-{SIS, LWE} problems, we use the BKZ lattice reduction algorithm [16] as the best-known lattice attack. There are a variety of approaches to measuring the running time of BKZ [16, 17, 18]. In general, an SVP (Shortest Vector Problem) solver is the main building block of the BKZ algorithm. Regarding the number of SVP oracle calls that BKZ makes, the Core-SVP model [18] conservatively assumes that the SVP oracle is called only once. The best known classical SVP solver runs in time $\approx 2^{0.292 b}$ and the best known quantum SVP solver in time $\approx 2^{0.265 b}$, where $b$ is the BKZ block size. Therefore, we adopt the BKZ cost model $0.292b$ for the classical setting and $0.265b$ for the quantum setting. Table 2 shows the concrete security level of GCKSign for each parameter set. To estimate the hardness of the parametrized Module-{SIS, LWE} problems, we make use of the SIS and LWE estimators of [11], which reflect the BKZ cost model above.

Comparison
Table 3 presents the comparison between the two GCK-based signatures, [4] and GCKSign. In terms of security, [4] is based on the collision resistance of the GCK function, whereas GCKSign is based on the TMO problem of the Module-GCK function. Because of the reliance on collision resistance in [4], its GCK function must be set up to guarantee the WI property, which requires (at least) the condition $(2\eta+1)^{n\ell} \ge q^{nk} \times 2^{128}$ for the coefficient bound $\eta$ of a secret key polynomial. [4] sets $\eta = 2047$, which turns out to increase the sizes of public/secret keys and signatures. On the other hand, GCKSign removes the WI property by proving its security under the TMO problem of the GCK function, and importantly is able to relax the condition to (at least) $(2\beta+1)^{n\ell} \ge q^{nk} \times 2^{128}$ for $\beta = 2(B - L_s)$. Because of this relaxation, GCKSign can use much smaller values of $q$ and $\eta$, and obtains a significant efficiency gain over [4]. For instance, Table 3 shows that at the (almost) same 132-bit security level, the signature size of GCKSign is about 3.4 ($\approx 14875/4384$) times shorter and the public-key size of GCKSign is about 2.4 ($\approx 6125/2528$) times shorter than those of [4]. However, the public key and signature of GCKSign are about 1.8 ($\approx 2528/1312$) times and 1.9 ($\approx 4384/2420$) times larger, respectively, than those of [11] at the (almost) same 132-bit security level. This is caused by the key recovery attack. An adversary may try to recover the secret key $\mathbf s$ from the public key $pk = (\mathbf A, \mathbf t)$, where $\mathbf t = \mathbf A\mathbf s$ in the case of GCKSign. Because $\mathbf s$ is sampled from $R^{\ell \times 1}_{[-\eta,\eta]}$ with $\eta = 1$, this amounts to solving the OW problem of the Module-GCK function, which reduces to the Module-LWE problem with advantage $\mathrm{Adv}^{\mathrm{M\text{-}LWE}}_{n,k,(\ell-k),q,1}$, whose dimension is $\ell - k$ rather than $\ell$. Therefore, we need to increase the dimension of our scheme by $k$ to maintain the security level that LWE-based signatures like Dilithium achieve, and this ultimately increases the sizes of the public key and signature.

Performance analysis
In Table 2, we evaluate the performance of our implementation on a 3.7 GHz Intel Core i7-8700K running Ubuntu 20.04 LTS. The table shows the key generation, signing and verification times of our scheme. Our implementation code is publicly available at https://github.com/KU-Cryptographic-Protocol-Lab/GCKS. Polynomial multiplication is the most costly operation in implementing such a cryptosystem. We choose the modulus $q$ satisfying $q \equiv 2\rho + 1 \pmod{4\rho}$ for some $\rho \mid n$ to meet the security requirement. As a result, we cannot use the "fully-splitting" NTT algorithm for multiplication. Instead, we follow the approach of [14], using a "partially-splitting" NTT together with Karatsuba multiplication [19] and the Toom-Cook polynomial multiplication method [20] to multiply efficiently in a partially-splitting ring.

Conclusion
In this paper, we have addressed the challenge of proving the security of GCK-based signature schemes without relying on the WI property. By introducing the TMO problem and showing its reduction to the one-wayness and collision-resistance problems of the GCK function, we have provided a way to overcome the limitations imposed by the WI property in GCK-based signatures. Additionally, we have presented a more efficient GCK-based signature scheme, GCKSign, which extends the original scheme [4] to the Module-GCK function. Through the analysis of the Module GCK-TMO problem and its reduction to Module-{SIS, LWE} problems, we prove the security of GCKSign in the random oracle model without relying on the WI property.
One notable result of our work is the significant reduction in signature and public key sizes compared to Lyubashevsky's signature scheme [4]. GCKSign achieves approximately 3.4 times shorter signatures and 2.4 times shorter public keys at the same security level. This efficiency improvement stems directly from eliminating the WI property.
Even though our scheme still has larger sizes than Dilithium [11], our findings not only advance the GCK-based signature scheme [4] but also provide insights into the design and analysis of cryptographic primitives based on structured lattice problems. The TMO problem introduces a novel perspective on approximate one-wayness, and its connections to existing hardness assumptions offer new avenues for future research. It would be interesting to explore the applicability of the TMO problem in other cryptographic protocols and settings.